Opened 3 years ago
Closed 21 months ago
#1421 closed Bug / Defect (wontfix)
ARM64 + Docker results in "TUNSETIFF tun: Function not implemented"
Reported by: | mlb5000 | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | Generic / unclassified | Version: | OpenVPN 2.5.1 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | |
Cc: |
Description
I'm hitting a strange error when attempting to connect to OpenVPN inside a Docker container running on Apple Silicon. I do NOT have problems with this exact image/configuration elsewhere. The only difference is that this was cross-built using docker buildx.
Basic Docker configuration (you'll need to add your own command)
```
FROM keymetrics/pm2:16-alpine
RUN apk update
RUN apk add openvpn nano curl
```
Then, if I attempt to connect inside that container, it runs into problems. The host has no issues connecting to the same server with the same config file/credentials.
```
2021-08-02T20:19:53.236Z - stdout: 2021-08-02 20:19:53 DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
2021-08-02T20:19:53.239Z - stdout: 2021-08-02 20:19:53 WARNING: file '//app/current.txt' is group or others accessible
2021-08-02T20:19:53.240Z - stdout: 2021-08-02 20:19:53 OpenVPN 2.5.2 x86_64-alpine-linux-musl [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD] built on May 4 2021
2021-08-02T20:19:53.241Z - stdout: 2021-08-02 20:19:53 library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
2021-08-02T20:19:53.245Z - stdout: 2021-08-02 20:19:53 WARNING: --ping should normally be used with --ping-restart or --ping-exit
2021-08-02 20:19:53 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2021-08-02 20:19:53 NOTE: --fast-io is disabled since we are not using UDP
2021-08-02T20:19:53.258Z - stdout: 2021-08-02 20:19:53 Outgoing Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-08-02 20:19:53 Incoming Control Channel Authentication: Using 512 bit message hash 'SHA512' for HMAC authentication
2021-08-02T20:19:53.292Z - stdout: 2021-08-02 20:19:53 TCP/UDP: Preserving recently used remote address: [AF_INET]92.119.177.21:1443
2021-08-02T20:19:53.293Z - stdout: 2021-08-02 20:19:53 Socket Buffers: R=[131072->131072] S=[16384->16384]
2021-08-02 20:19:53 Attempting to establish TCP connection with [AF_INET]92.119.177.21:1443 [nonblock]
2021-08-02T20:19:53.315Z - stdout: 2021-08-02 20:19:53 TCP connection established with [AF_INET]92.119.177.21:1443
2021-08-02T20:19:53.315Z - stdout: 2021-08-02 20:19:53 TCP_CLIENT link local: (not bound)
2021-08-02 20:19:53 TCP_CLIENT link remote: [AF_INET]92.119.177.21:1443
2021-08-02T20:19:53.340Z - stdout: 2021-08-02 20:19:53 TLS: Initial packet from [AF_INET]92.119.177.21:1443, sid=8f7ff4e0 445650e0
2021-08-02T20:19:53.414Z - stdout: 2021-08-02 20:19:53 VERIFY OK: depth=2, C=VG, O=Surfshark, CN=Surfshark Root CA
2021-08-02T20:19:53.419Z - stdout: 2021-08-02 20:19:53 VERIFY OK: depth=1, C=VG, O=Surfshark, CN=Surfshark Intermediate CA
2021-08-02T20:19:53.420Z - stdout: 2021-08-02 20:19:53 VERIFY KU OK
2021-08-02T20:19:53.420Z - stdout: 2021-08-02 20:19:53 Validating certificate extended key usage
2021-08-02 20:19:53 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
2021-08-02 20:19:53 VERIFY EKU OK
2021-08-02 20:19:53 VERIFY OK: depth=0, CN=us-nyc-st002.prod.surfshark.com
2021-08-02T20:19:53.479Z - stdout: 2021-08-02 20:19:53 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1635', remote='link-mtu 1583'
2021-08-02T20:19:53.480Z - stdout: 2021-08-02 20:19:53 WARNING: 'auth' is used inconsistently, local='auth SHA512', remote='auth [null-digest]'
2021-08-02T20:19:53.480Z - stdout: 2021-08-02 20:19:53 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, peer certificate: 2048 bit RSA, signature: RSA-SHA256
2021-08-02T20:19:53.481Z - stdout: 2021-08-02 20:19:53 [us-nyc-st002.prod.surfshark.com] Peer Connection Initiated with [AF_INET]92.119.177.21:1443
2021-08-02T20:19:54.588Z - stdout: 2021-08-02 20:19:54 SENT CONTROL [us-nyc-st002.prod.surfshark.com]: 'PUSH_REQUEST' (status=1)
2021-08-02T20:19:54.845Z - stdout: 2021-08-02 20:19:54 PUSH: Received control message: 'PUSH_REPLY,dhcp-option DNS 162.252.172.57,dhcp-option DNS 149.154.159.92,redirect-gateway def1,sndbuf 524288,rcvbuf 524288,explicit-exit-notify,block-outside-dns,route-gateway 10.7.7.1,topology subnet,ping 60,ping-restart 180,ifconfig 10.7.7.7 255.255.255.0,peer-id 0,cipher AES-256-GCM'
2021-08-02T20:19:54.847Z - stdout: 2021-08-02 20:19:54 Options error: Unrecognized option or missing or extra parameter(s) in [PUSH-OPTIONS]:7: block-outside-dns (2.5.2)
2021-08-02T20:19:54.849Z - stdout: 2021-08-02 20:19:54 OPTIONS IMPORT: timers and/or timeouts modified
2021-08-02 20:19:54 OPTIONS IMPORT: --explicit-exit-notify can only be used with --proto udp
2021-08-02T20:19:54.849Z - stdout: 2021-08-02 20:19:54 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
2021-08-02 20:19:54 Socket Buffers: R=[131072->425984] S=[87040->425984]
2021-08-02 20:19:54 OPTIONS IMPORT: --ifconfig/up options modified
2021-08-02 20:19:54 OPTIONS IMPORT: route options modified
2021-08-02 20:19:54 OPTIONS IMPORT: route-related options modified
2021-08-02 20:19:54 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2021-08-02 20:19:54 OPTIONS IMPORT: peer-id set
2021-08-02 20:19:54 OPTIONS IMPORT: adjusting link_mtu to 1658
2021-08-02 20:19:54 OPTIONS IMPORT: data channel crypto options modified
2021-08-02 20:19:54 Data Channel: using negotiated cipher 'AES-256-GCM'
2021-08-02T20:19:54.851Z - stdout: 2021-08-02 20:19:54 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-08-02T20:19:54.852Z - stdout: 2021-08-02 20:19:54 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
2021-08-02T20:19:54.853Z - stdout: 2021-08-02 20:19:54 ROUTE_GATEWAY 10.1.0.1
2021-08-02T20:19:54.854Z - stdout: 2021-08-02 20:19:54 ERROR: Cannot ioctl TUNSETIFF tun: Function not implemented (errno=38)
2021-08-02 20:19:54 Exiting due to fatal error
```
I get this specific failure no matter what base OS the Docker image uses (both Ubuntu and Alpine). The only important factor seems to be that the Docker image trying to use the OpenVPN client is running on an aarch64 host (and that the arm64 image is then pulled from the manifest).
Change History (2)
comment:1 Changed 3 years ago by
comment:2 Changed 21 months ago by
Resolution: | → wontfix |
---|---|
Status: | new → closed |
We can't help anyone if people are not talking to us.
Closing this as WONTFIX, as this is outside OpenVPN control anyway.
Things do work when running OpenVPN on a Linux/Docker (or Kubernetes) Container, provided /dev/net/tun exists - so, no idea what Apple Containers need here.
OpenVPN on ARM64 generally works fine (confirmed with Tunnelblick on an MBA M1).
This seems to be something with the Docker stuff, which refuses one of the ioctl() calls we need to set up the tun interface properly.
Why that would happen, I do not know.
Is this "MacOS on M1, with Docker and Linux inside" or "Linux on M1, with Docker and Linux inside"? Not sure Docker can translate this sort of kernel call...
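
Added example, not part of the ticket and not OpenVPN's code: a small C probe that repeats inside the container the two steps the error concerns (open `/dev/net/tun`, then `ioctl(TUNSETIFF)`) and maps the resulting errno, including the errno=38 (`ENOSYS`) from the log above, to a likely cause. The names `tun_probe` and `tun_hint` and the hint wording are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <linux/if.h>
#include <linux/if_tun.h>

/* Map the errno of a failed tun setup step to a likely cause (example wording). */
const char *tun_hint(int err)
{
    switch (err) {
    case 0:      return "ok: tun interface can be created";
    case ENOENT:
    case ENODEV: return "no tun device: /dev/net/tun missing or tun driver not loaded";
    case EPERM:
    case EACCES: return "denied: container lacks CAP_NET_ADMIN or access to the device";
    case ENOSYS: return "not implemented: the system-call layer under this process rejects the ioctl";
    default:     return "other: see the strerror text";
    }
}

/* Run both steps; return 0 or the errno of the step that failed (named in *step). */
int tun_probe(const char **step)
{
    struct ifreq ifr;
    int fd, err;

    *step = "open /dev/net/tun";
    fd = open("/dev/net/tun", O_RDWR);
    if (fd < 0)
        return errno;
    memset(&ifr, 0, sizeof(ifr));
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;  /* empty name: kernel picks tunN */
    *step = "ioctl TUNSETIFF";
    err = ioctl(fd, TUNSETIFF, &ifr) < 0 ? errno : 0;
    close(fd);  /* a non-persistent interface is removed when the fd closes */
    return err;
}

int main(void)
{
    const char *step;
    int err = tun_probe(&step);
    printf("%s: %s (errno=%d) -> %s\n", step, strerror(err), err, tun_hint(err));
    return err ? 1 : 0;
}
```

Build it for the same platform as the image under test and run it in the container with the same device and capability options used for OpenVPN, so the result reflects the same environment.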